My Heart Bleeds, but not because of "Heartbleed"

In talking about Internet "threats", I have used the analogy of the great Wildebeest migration across the Serengeti plain in Africa.  Most of us have seen the nature shows portraying the risks to the herd.  Most of them make it across, but the weak, the young, and the infirm that fall behind the pack are vulnerable to the wild Cheetah or a pack of Hyenas.  

Sadly, this is the case on the World Wide Web.  Yes, you are the Wildebeest, and just how strong and fast are you?  The recent "Heartbleed" infection is just the latest Cheetah, part of wave after wave of threats that have emerged continuously over the past decade or more.  To learn more about this threat and get great advice, I recommend this article from NPR: http://n.pr/1jy7ZxA.

Many writers have pointed out the quietness and undetected persistence of this infection as a cause for serious alarm.  Do they really think that infected websites have not been a problem up until now?  What gets them frothing is that a chestnut of the open source community, OpenSSL, is the attack vector, and it is very widely used on very respected websites.  So, yes, it is substantially more pervasive and threatening than preceding threats.  This changes nothing for most Internet users.

The NPR article concludes with five recommendations.  I wholeheartedly recommend all of them plus one more: adopt and use a password manager.  We use “LastPass”.  There are some hassles getting used to managing your passwords with a password manager, but most of the process has been pretty well automated by them.  I have tested “DashLane”, and many prefer that one.  I found that the application hindered some aspects of my Windows computer’s performance, and so I discontinued the use of it. (It was publicly recommended by David Pogue of Yahoo Tech and formerly of the New York Times, who uses a Mac for his primary system, and who has written about Apple and the Macintosh extensively.) DashLane (dashlane.com) works on Apple Macintosh, Windows, iOS, and Android devices and most browsers.  LastPass (lastpass.com) works on those platforms plus Linux and Blackberry.  Both are free to use on one device, but cost money to use on multiple devices with passwords syncing across all of your devices.  We use the paid version of LastPass to get the sync function. Please take the time to learn how the password manager can help you be more secure by setting hard-to-crack passwords which you don't have to worry about remembering.

Finally, the NPR article includes tools to check the important sites that you visit, so you can tell whether the site is infected, or was vulnerable to the attack.  Since most of us don't have time to chase all of that down, the advice of the NPR article is the thing to put your precious time into.

My wonderful wife has changed all of our personal and business financial service website passwords this week as a precaution.  I recommend that you do the same.

CryptoLocker...Beware!

From time to time the threat landscape changes in a way that persuades me to contact my clients and let them know that heightened awareness and caution are needed.  This is one of those times.

I will start this advisory with advice that must be passed around as thoroughly as possible to computer users everywhere. 

Do not respond in any way to an email that proposes anything that you were not very specifically looking for. 

Never click a link in an email unless you asked for the link from someone that you know, and they gave it to you directly.

If you receive a warning about a service that you use, go directly to the website of the service that you use in the way that you typically access it, such as using a bookmark or typing the address into the address bar of your web browser.  If the message is valid, the warning will be on the site.

If you receive a warning about a service or account that you don’t know about or know that you do not have or use, disregard the email and delete it.

Read Internet search results carefully when searching online for information.  Only navigate your web browser to domains that you know and trust.

A relatively new form of malware (read as a general term for “computer virus”) called CryptoLocker has been on the loose on the Internet for several weeks.  It is a type of infection that we call “Ransomware”, because the attackers have designed the program to deprive you of access to the data on your own computer with the promise to restore your access once you pay them a certain amount of money.  In the past, these types of attacks typically changed an attribute of your data file that made it invisible, but an experienced technician could easily restore access to the files after cleaning the infection off your computer.

Not so with CryptoLocker.  The problem with CryptoLocker is that it actually puts all of your data files into an encrypted data file that is encrypted in a way not breakable by any means available outside of national security agencies.  CryptoLocker starts to perform this encryption and removal of your data files immediately after your computer is infected, and once complete, a message arises that informs you that you have 72 hours and counting to pay $300 in BitCoin or MoneyPak (untraceable payment methods).  The screen contains a countdown timer that shows when your time is up, at which point the CryptoLocker servers delete the private key necessary to decrypt your data, and your data is lost.

If you see the window on your computer showing this message, it is very probably too late for ABN or anyone else to do anything about your data.  The best thing to do is to shut down your computer by holding down the power button for five seconds, and then remove all network connections from the computer.

If your computer is connected to a network server sharing files, CryptoLocker will attempt to encrypt those files and it will succeed if you have read/write access rights to those files.  Server data may be recovered from backup; however, most personal computer hard drives are not backed up.  If an external backup drive is connected to your computer at the time of infection, CryptoLocker will encrypt the backup, making it unavailable to you, and it will do the same to any open DropBox, Google Drive, SkyDrive, or Jungle Disk connections.

There is no guarantee that you will receive your data back if you pay the $300 because law enforcement agencies are chasing the key server locations and shutting them down if they find them, which has the effect of canceling any outstanding ransoms in the process, and losing the data for those ransoms.  In most cases, paying the ransom will unlock your data because the validity of the promise is what is making this threat so profitable.

Finally, because this threat has been so successful financially, it is likely that the number and type of threats similar to CryptoLocker will grow.

On an upbeat note, no clients of ABN have yet experienced this infection.  We are doing our best to maintain your antivirus software at current revisions and updates if you are relying on us for that service.  At this time, this is the best effort that we can make, along with advisories like this one.

 

Cyberkey - TNO for YOU

Nate Abbott

Abbott Business Networks

(All Rights Reserved)

Today I was introduced to a new security product that will shortly be released to market called Cyberkey (http://cyberkey.com).  The concept is simple:

1. Download Cyberkey.  

2. Install Cyberkey (after installing one prerequisite).

3. Plug two USB sticks into your computer successively as directed, which converts them into special USB keys.

Result:  An encrypted folder appears on your hard drive, Google Drive folder, or DropBox folder.  It is locked with the best available encryption and appears only when you insert your "personal" USB key into your computer.  When you remove the personal USB key from your computer, the folder disappears into a vault that is practically inaccessible to the most powerful supercomputers in existence.

The USB key that makes your data appear is the second USB stick processed in step 3 above.  The first USB key is your master key, and it allows you to produce replacement keys.  Here is the explanation from the Cyberkey website: "The Master Key holds the keys needed to unlock your Vault. The Personal Key holds scrambled versions of those keys - descrambling requires a PIN that you choose during setup. You keep the Master Key someplace safe - in case you lose your Personal Key - and carry the Personal Key with you."
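As an added illustration of the master key / personal key split quoted above (this is not Cyberkey's code, and its actual scheme is not described on this page), the sketch below wraps a random vault key under a key derived from a PIN. The function names, the PBKDF2 work factor, and the XOR-plus-HMAC wrap (standing in for an authenticated cipher) are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor: a PIN is short, so the derivation must be slow enough
# to make guessing expensive if the personal key is lost or copied.
ITERATIONS = 200_000


def _derive(pin: str, salt: bytes) -> tuple:
    """Stretch the PIN into a 32-byte mask and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def make_master_key() -> bytes:
    """The master key holds the vault key itself; it stays somewhere safe."""
    return os.urandom(32)


def make_personal_key(vault_key: bytes, pin: str) -> dict:
    """Build a personal key: the vault key 'scrambled' under the PIN."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per personal key, so masks never repeat
    mask, mac_key = _derive(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(personal_key: dict, pin: str) -> bytes:
    """Recover the vault key; a wrong PIN fails the integrity check."""
    mask, mac_key = _derive(pin, personal_key["salt"])
    expected = hmac.new(
        mac_key, personal_key["salt"] + personal_key["wrapped"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, personal_key["tag"]):
        raise ValueError("wrong PIN or damaged personal key")
    return bytes(a ^ b for a, b in zip(personal_key["wrapped"], mask))


if __name__ == "__main__":
    master = make_master_key()
    personal = make_personal_key(master, "4821")     # constructed PIN
    print(unlock(personal, "4821") == master)        # personal key + PIN opens the vault
    replacement = make_personal_key(master, "9035")  # lost key: reissue from master
    print(unlock(replacement, "9035") == master)
```

The master key can always mint a replacement personal key, while a personal key without its PIN yields nothing directly; the strength of that second property rests on the PIN length and the derivation cost.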

The secret sauce that makes Cyberkey work is TrueCrypt, which is an open source encryption package that many of us in the industry know and have used to secure data for years.  That is the “prerequisite” that is easily installed before Cyberkey can run.  It is a package that Information Technology professionals, engineers and the like find accessible and easy to use, but average computer users may find baffling.  Cyberkey leverages TrueCrypt's strength, very strong encryption based on the most advanced and reliable crypto in circulation anywhere, and wraps it in a simplifying package that makes it very easy for anyone to use, with rules that are easy to understand.

The key acronym here is "TNO", or "Trust No One".  If you are in any way concerned about data on your computer becoming known at any time by people who you do not know or trust, then what you want is TNO security.  If you rely on a third party to secure your data, either on your hard drive or in "the cloud", then you are subject to not only the laws governing search and seizure under probable cause, but also the potentially unconstitutional searches that our National Security Agency may conduct.  If you are using truly "TNO" security, then it doesn't matter who gets your data, or who gets access to your data on a third-party storage platform.  Nobody can look at your data because the keys are required to unencrypt the data.  If you destroy the keys, you remove access to the data.  Only your passphrase and TrueCrypt can open the data vault back up, and arguably you cannot be compelled to testify against yourself and give up a thing that you know, such as a passphrase.  As the encryption guru Bruce Schneier says, "Trust the Math".

Such is the extreme reasoning that some of us think about when we consider privacy; however, there has been a broader discussion about the new surveillance state that has arisen since 9/11 in the United States and elsewhere in the world.  Democracies are for the first time organizing totalitarian-regime-like surveillance capability that involves intensive analysis of signals as well as data.  Signals would be the stuff that the law permits government agencies to look at without any court approval: TCP/IP addresses, email header information such as "from" and "to" email addresses, time-stamps, cell phone numbers and routing data.  These signals can tell a great deal about us, and they are used by the agencies to establish a cause of further investigation, which may include examining the contents of email messages, text messages, and communications that would be protected under the constitution, but are available to agencies that are engaged in national security protection and anti-terrorism.  Most of my readers will be aware that this discussion has escalated since the defection of Edward Snowden and his revelation of secret NSA documents published by The Guardian and other newspapers internationally.

Regardless of what you feel about our security state and the legitimacy of the Snowden activity, we are affected deeply by the idea that we are being watched.  We need to know that things we want to maintain privately may remain private.  It is our right as citizens of the USA.  There may also be quite a few good business and personal security reasons. The business opportunities are fairly obvious: Law firms dealing with sensitive case material that opponents might be eager to compromise.  Business partners planning a merger, acquisition or sensitive product development effort with valuable intellectual property.  Small business owners with personnel trouble.  All could find this useful.

For this reason, I am enthusiastic about Cyberkey and its accessibility to common computer users, not just the geeky ones who have known and loved TrueCrypt.  If you have two spare USB flash drives of any capacity, including small capacity ones that cost less than $7.00 at Staples or Walmart, and if you have a computer running Windows 7 or later, you can try out Cyberkey for free like I did.  Just go to the Cyberkey website at www.cyberkey.com and follow the simple prompts.  

I spoke to Fred Federspiel, the developer, and he is planning some great extensions to the product once it gets launched and off the ground, including Apple Macintosh support.  Fred has a long background as an engineer and inventor, and I think he is onto something here, bringing Crypto to the masses in a very accessible way. Give it a try and let Fred know what you think.

 

Your employees may not like me for this...

This story has been evident to me for a long time, and it is a real problem in an office where there is a culture of trust and freedom around computer use, especially when a new employee brings bad online habits into the workplace.  I have seen such a situation bring a whole company to a standstill when the consequence is a severe malware attack, a sexual harassment situation, or simple discipline problems.

Windows 8.1…really?

So, a couple of days after the developers who attended Microsoft’s “Build” 2013 conference, and the various tech journalists and bloggers who took advantage of Microsoft’s “preview” offer, I have downloaded and installed the preview.  I am afraid that my response is the refrain from that old song…“is that all there is?”

This is not a fair response to what is, in its entirety, a very good effort by Microsoft to address concerns in the marketplace for its products, while at the same time attempting to maintain a vision upon which its future almost entirely depends: the integration of a common user experience across all Windows devices: phone, tablet, laptop, desktop.  There has never been an effort undertaken by any company in history comparable to what Microsoft is working on today.  And let me take the opportunity now to congratulate Microsoft for firing the acrobatic hipsters that have been advertising its Surface tablet in favor of TV advertising that actually does a good job of articulating their vision, and selling some of the sizzle of it.

So now that I have been fair to Microsoft, I need to say why I feel so blasé about this release.  For context, when I started my career in Information Technology, the personal computer was used by a fraction of the population.  These were geeks and nerds who felt they could get an edge by using a personal computer instead of a calculator, a typewriter, and possibly a little timeshare access at the local university.  The transition in user interface for Microsoft (and Apple) customers at that time (1984 to 1992) was from a blank, black or green screen with a single line of three or more monochrome text characters followed by a blinking cursor, to a screen with rectangular windows, icons and a mouse pointer.  In the former, we were invited to type something on the keyboard.  In the latter we were invited to “click”, which we rapidly learned to do.

Some very prominent journalists at the time opined that the mouse was a fad, and that the “GUI” (for Graphical User Interface) would die out in favor of our old and utilitarian command prompt.  For some really delightful and informed perspective, I recommend Neal Stephenson’s “In the Beginning was the Command Line”, which can be downloaded here:  http://www.cryptonomicon.com/beginning.html.

So after watching the windowed interface, both Macintosh and Windows, overwhelm the civilized world in the space of a half-decade, it is with some disbelief that I witness the rejection of Windows 8 on the basis of “too jarring a change in user interface design”.  I am not quoting anyone in particular; however, I believe that I am quoting the opinion of just about every journalist and blogger who has attempted to explain this phenomenon.

There have been reports of machinations within Microsoft over the degree to which “helpers” and tutorials should have been asserted or withheld in the new operating system, some believing that too many tutorial links would scare people off, and too many options similar to the older Windows versions would stifle the adoption of the new “Modern UI” (or Modern User Interface) that Microsoft proposes for all Windows apps on every platform.  Ironically, when they succeed, there will be no “windows” in Windows!

Truly, most of us that make this transition regularly, upgrading to every new version of Windows every time it is released for the various reasons that we have, adopt a mode of using the new operating system that most allows us to work in the way we are familiar with.  In this way, Windows 8 was very, very new indeed.  I had the choice to use my desktop Outlook program, or my Windows 8 store Windows mail program.  I could install my desktop Skype app, or use the Windows 8 store version of Skype.  Most jarring was the browser choice.  The two most popular browsers available on Windows 8, Chrome and Internet Explorer, both run in a desktop mode, or a Modern UI mode, which in the case of Internet Explorer turns the user experience of the browser literally upside down.

So, within a week of loading up Windows 8 this winter, I made some choices.  The desktop software was richer and more stable.  The Windows 8 Modern UI app store was a little sparse, and many of the programs that I already was using on the desktop were not as mature and full featured in the Modern UI.  This was easy: figure out how to get to the desktop, and then work in that environment as much as possible.  Having made these choices, Windows 8 became splendid!  It is faster, more stable, and has features that really advance the Windows platform.

The “Start screen” simply became an alternative to the “Start menu”, and again, within about two days’ time, I had figured out how to get to everything that I used to get to in the Start menu.  Oh, and by the way, THE START SCREEN IS MUCH, MUCH BETTER THAN A START MENU!!!!

Coming back to Windows 8.1, if you take away all of the enhancements to the Microsoft Store, the extensions to Windows Search, and internal improvements to the operating system, the big change in Windows 8.1 is a little Windows icon in the lower left-hand corner to give you a cue as to where the start screen is, a better organized start screen that more quickly allows you to browse every app and setting on the system, and the ability to boot to desktop.

So, I am underwhelmed.  But my dissatisfaction with this release has more to do with a deeper ennui about what this is saying about Microsoft’s position in the world now, 29 years after the GUI.  We have Windows 8.1 now largely because of a reported double digit sag in PC sales year over year in the first quarter of 2013.  Windows 8 took the blame for that, and Microsoft was forced to respond.  But if we are really so lazy as to not google a couple of pages for the ubiquitous YouTube videos that explain everything you need to know about running Windows 8, can it really be the absence of an icon and a few features that will make the difference?  Isn’t it true that PC sales are simply being swamped under an avalanche of iPads and Android tablets and phablets and schmablets?

I am delighted with Windows 8, and I am equally delighted with Windows 8.1.  These have provided me with entertainment while I go about my work, and they have improved the overall experience as well as the product that I produce.  That being said, I am stubbornly sticking to the desktop and I remain well on the sidelines with respect to the Windows 8 vision of a unified experience.  I carry an iPhone, and I use a Nexus 7 tablet in the house.  That may make me Microsoft’s worst nightmare.

Significant upgrade to SpamSoap

http://spamsoap.com/threat-center/

Please note these significant enhancements to the SpamSoap service.  The bottom line for my clients is this:

If you click on a web link in an email after SpamSoap has enabled this service on May 13, your click will be redirected through an AntiMalware gateway that will pre-scan the website and determine if the link is malicious.

If the link is malicious, you will receive a notification window from the AntiMalware gateway rather than reaching the infected website and downloading the malware to your computer.

This is a major development for us because SpamSoap has distinguished between “scan-time”, and “click-time” infection states, meaning that an email might carry a link that is benign in transit to the recipient, but becomes infected after the message has passed through our scanning mechanisms and been approved for delivery.  Even in such a case, because this capability includes “click-time” testing, the user is protected.

Since email-borne web links have become the most potent vector for malware infection to our clients, we feel that this improvement is a major step in removing this category of threat.
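The difference between “scan-time” and “click-time” checking can be shown with a short sketch, added here as an illustration and not taken from SpamSoap. The gateway address, the signing key, and the set of known-bad hosts (standing in for the gateway's pre-scan of the website) are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://gateway.example/click"  # hypothetical gateway address
SIGNING_KEY = b"constructed-demo-key"      # constructed; a real key stays secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    """Bind the gateway link to one destination so it cannot be altered."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def is_malicious(url: str, bad_hosts: set) -> bool:
    """Stand-in verdict: is the link's host on the current bad list?"""
    host = (urlsplit(url).hostname or "").lower()
    return host in bad_hosts


def scan_time(body: str, bad_hosts: set):
    """Filter pass at delivery: quarantine known-bad mail, rewrite the rest."""
    if any(is_malicious(u, bad_hosts) for u in URL_RE.findall(body)):
        return None  # quarantined, never delivered

    def wrap(match):
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&sig={_sign(url)}"

    return URL_RE.sub(wrap, body)


def click_time(gateway_url: str, bad_hosts: set):
    """Gateway pass when the user clicks: re-check with the current verdicts."""
    query = parse_qs(urlsplit(gateway_url).query)
    url = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return ("reject", None)   # link was altered after rewriting
    if is_malicious(url, bad_hosts):
        return ("block", url)     # user sees the notification window
    return ("redirect", url)      # user continues to the site


def demo():
    # Constructed message: the link is benign while the mail is in transit.
    body = "Your invoice is ready: http://invoices.example/view?id=7 Thanks"
    delivered = scan_time(body, bad_hosts=set())
    link = URL_RE.findall(delivered)[0]
    # The site is compromised after delivery; only the click-time check sees it.
    return click_time(link, bad_hosts={"invoices.example"})


if __name__ == "__main__":
    print(demo())
```

A filter that only ran `scan_time` would have delivered the original link untouched, and the later compromise of the site would reach the user.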

KILLING UPDATE FOR THE DYING DESKTOP PERSONAL COMPUTER

http://arstechnica.com/security/2013/04/microsoft-tells-windows-7-users-to-uninstall-faulty-security-update/

This is an opportunity to give you a little delayed warning about a Microsoft update.  Sadly, if you are a corporate Kaspersky antivirus user, or if you have lagged behind in updating your Kaspersky protection to the latest version, you may have already found out about this update the hard way.

Short version of the linked article: Everyone should remove Microsoft update 2823324, which was distributed in the latest "Update Tuesday" round of Windows operating system updates.  It has the possibility of causing your system to become un-bootable.  If you don't know what "un-bootable" means, it means that you will lose the use of your computer entirely until the problem is resolved.

Happily, if your System Restore capability is enabled in Windows 7, which it is by default, you should be able to get your system back up and running, but it may take some finagling with bootable operating system media.  If your head is swimming and you are feeling nauseous, please contact your trusted computer service provider. They will take care of you pretty easily.

So, what about the dying desktop personal computer?  Reports published in the Wall Street Journal indicate that personal computer sales fell more than 13% since last year, and last year was not a particularly good year for those sales.  WSJ used the term "free fall".

Ever since Apple released the iPad in 2010, this day was inevitable.  The iPad product has been a smash hit, and this year, the entire computer industry is finally offering competing products that are not first time experiments in mimicry.  We all have only so much appetite for electronics, and inevitably, many of us have decided that we can do fine with our desktop computer at work, and only use a smartphone and/or a tablet computer at home.  

For years I have thought that the requirement to lay out $1,000 or more for a system that we really don't want in our homes was not sensible.  The conventional personal computer was designed for "desktop productivity", not for casual communication and entertainment, which is what most of us do on our home devices.  $300 to $800 seems like a much more reasonable proposition for most of us.

In conclusion, the drop in sales is simply the other shoe of the explosion of sales in smartphones and tablets.  We are finally getting what we want, and that is not such bad news at all, if we all feel better about our lives as a result.